The Malware That Keeps On Giving
09.19.2007 - 3:37 PM
This also contributes to the fact that, all over the world, personal information is stolen and the victims are never notified of the attack. It is obviously not feasible to contact every person infected with a given piece of malware. But keeping an open channel to law enforcement, and being willing to share data with them, can make a real difference. Here's why...
I recently found a website that tried to infect visitors with an old, well-known banking Trojan dubbed "the Briz Trojan". Initially I was amazed that this old ragdoll was still kicking, but when I looked at the web-based administrator GUI the malware authors had built, the statistics were still climbing every day. So I decided to revisit the old relic, and discovered that most of the Briz websites that were live back in 2006 are still alive today. The Trojan sends captured usernames, passwords, screenshots and other sensitive information to a central server, so the next step was to dump the information from that master server.
I'm from Norway, so I was initially looking for infections from the Nordic region, and I didn't have to look long before I found what I was looking for. Norway, like almost every other major country in the world, had been hit by this Trojan.
After logging on to the master server, it became obvious that one of the attackers' main objectives was to gather email addresses in addition to the sensitive information mentioned above. I found a Perl script on the server that loops through all the key-logged data and extracts any email addresses it finds; such lists are very often sold for a lot of money in the underground community. Running the script yielded several hundred thousand harvested addresses.
The next step of the investigation was to filter out all victims from Norway. That alone came to well over 300 text files. Once the filtering was done, I was left with a shocking result. The attackers had managed to capture:
- Username / password / security codes for a majority of the Norwegian banks
- MSN conversations, including well-known business executives talking about how to fire employees
- Credit card transaction history
- Screenshots of almost every computer (taken during banking activities)
- Username / password for cell phone management
- Social security numbers
- Victim-specific information such as:
  - Name
  - Address
  - Phone number
  - Social status
  - Annual salary
  - Mortgage details
  - Surfing habits

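The two processing steps described above (harvesting every email address from the captured data, then isolating the victims of one country so they can be reported) as an added Python example. This is reconstructed from the post's description and is not the Perl script found on the server, nor Websense code; the record layout, the victim host ids and every sample line are constructed assumptions, and the country filter is a TLD heuristic rather than the exact method used in the investigation.

```python
import re
from collections import defaultdict

# Constructed sample dump (not real captured data): one record per line in
# the assumed form "host=<victim id> data=<captured text>", loosely modelled
# on the keylog / form-grab records the post describes.
SAMPLE_DUMP = """\
host=v001 data=login ola.nordmann@example.no pass hunter2 url=https://nettbank.example.no/logon
host=v001 data=To: kari@example.no Subject: lunch
host=v002 data=user=john.doe@example.com pw=qwerty url=https://bank.example.com/login
host=v002 data=msn john.doe@example.com -> anna@example.org we fire him monday
host=v003 data=Kunde-ID 12345678 PIN 0421 url=https://bank.example.no/
host=v003 data=OLA.Nordmann@Example.NO again
host=v004 data=nothing useful here
"""

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
URL_RE = re.compile(r"\burl=(https?://[^\s/]+)")   # scheme + host only
RECORD_RE = re.compile(r"^host=(\S+)\s+data=(.*)$")


def parse_records(dump):
    """Yield (host_id, captured_text) for every well-formed record line."""
    for line in dump.splitlines():
        m = RECORD_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def extract_emails(dump):
    """De-duplicated, lower-cased email addresses across the whole dump.

    This is the 'harvest every address' step the post attributes to the
    attackers' Perl script; for a responder it gives the number of distinct
    mailboxes exposed."""
    found = set()
    for _, text in parse_records(dump):
        for addr in EMAIL_RE.findall(text):
            found.add(addr.lower())
    return sorted(found)


def victims_by_tld(dump, tld):
    """Map host id -> set of indicators tying that victim to a country TLD.

    Indicators are an email address or a submitted URL whose domain ends in
    the TLD. This is only a heuristic for locating one country's victims (a
    Norwegian using a .com mailbox is missed), so treat it as a first pass
    before handing a list to an ISP or to law enforcement."""
    tld = "." + tld.lower().lstrip(".")
    hits = defaultdict(set)
    for host, text in parse_records(dump):
        for addr in EMAIL_RE.findall(text):
            if addr.lower().rsplit("@", 1)[1].endswith(tld):
                hits[host].add(addr.lower())
        for origin in URL_RE.findall(text):
            if origin.lower().endswith(tld):
                hits[host].add(origin.lower())
    return dict(hits)


def bank_credential_hosts(dump, bank_domains):
    """Host ids that submitted a form to one of the given banking domains."""
    wanted = {d.lower() for d in bank_domains}
    hosts = set()
    for host, text in parse_records(dump):
        for origin in URL_RE.findall(text):
            domain = origin.split("://", 1)[1].lower()
            if domain in wanted:
                hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    print(len(extract_emails(SAMPLE_DUMP)), "distinct addresses")
    for host, indicators in sorted(victims_by_tld(SAMPLE_DUMP, "no").items()):
        print(host, sorted(indicators))
    print("banking victims:",
          bank_credential_hosts(SAMPLE_DUMP, ["nettbank.example.no", "bank.example.no"]))
```

Keying everything on the victim host id rather than on the raw lines is what makes the output usable for notification: one entry per infected machine, with the evidence (mailbox, bank origin) that justifies contacting that victim, and the de-duplication means the repeated capture of the same address on host v003 is counted once.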
The "map" button in the admin GUI showed the geographical location of each victim's ISP, querying both Google's and Yahoo's map services to plot it.
Furthermore, the hard drives of many of the victims could be browsed through a web server that had been installed on the infected PC.
So the point I'm trying to make is that it's no longer enough to just block the bad stuff, which is what we did back in 2006. We have to take action to bring the amount of malware down. Internet crime today is somewhat like the old Wild West: if you commit a crime in front of the sheriff, sure, you will be caught. But with a couple of tricks up your sleeve you can go unnoticed for quite a long time, like the guys behind the Briz Trojan.
From a company perspective, sending information to law enforcement takes five minutes, and it makes a difference. Only the Norwegian law enforcement agency has been contacted in this case, and all victims in Norway have been contacted by the Norwegian police. If you are a member of a law enforcement agency and want information about the possible damage this Trojan has done in your country, you can contact me directly at pnylokken |at| websense.com. Please note that, due to the sensitivity of this material, the information will be given only to law enforcement and not to private parties. It is believed that organized criminals in Russia are behind the majority of the Briz servers.
Researcher: Preben Nyløkken